When a denial-of-service-attack victim receives attack traffic with spoofed source IP addresses, the attack victim cannot differentiate between this spoofed traffic and legitimate requests, so the victim replies to the spoofed source IP addresses. These spoofed IP addresses were not the actual sources of the attack traffic, so they receive responses to traffic they never sent. By measuring this response traffic to a large portion of IP addresses (roughly a /8 network), it is possible to estimate a lower bound for the overall volume of spoofed source denial-of-service attacks occurring on the Internet.

The dataset consists of collections of responses to spoofed traffic sent by denial-of-service attack victims and received by the UCSD Network Telescope. Data was collected between 2001 and 2008. Destinations on the UCSD Network Telescope are anonymized by zeroing the first octet of the IP address. The source addresses (representing denial-of-service attack victims) were not modified.

The collections were made on:

2001: February 2 to August 15

2002: May 9 to June 15, December 11 to 19

2003: November 6 to November 11

2004: February 25 to March 6, May 26 to June 3, August 26 to September 3, November 24 to December 2

2005: February 23 to March 3, May 25 to June 2, August 24 to September 1, November 23 to December 1

2006: February 22 to March 2, May 24 to June 1, August 23 to 31, November 22 to 30

2007: January 8 to 11, February 21 to March 1, May 23 to 31, August 23 to 30, November 20 to 29

2008: February 20 to 28, March 18 to 19, May 21 to 29, August 20 to 28, November 12 to 19

This data for 2001 through 2003, and February/March 2004, were used in the paper:

Caveats that apply to this dataset:

This dataset does not contain any traffic between the attacker
and the attack victim. It contains only responses from the
attack victim that went back to other IP addresses.

Not everything in this dataset is a denial-of-service attack.
The trace is limited to unidirectional, unsolicited response
traffic, but some (rarely used) forms of scanning and a
variety of misconfigured or broken equipment can cause
response traffic to be misrouted to other IP address space.

This dataset and the types of denial-of-service attack
traffic contained therein are representative only of some
spoofed source denial-of-service attacks. Many
denial-of-service attackers do not spoof source IP addresses
when they attack their victim. Under highly disruptive
attacks, victims may be limited or prevented from responding
at all to requests. Also, Attackers can spoof in a non-random
fashion, causing responses from spoofed source address attack
traffic to go to some, but not all IP address space. If our
/8 Network Telescope block was not a part of the spoofed
address space, these traces will not see responses from the
victims.

if you have an account, follow the IMPACT instructions for requesting
the dataset

As specified in TOU, if you use this dataset in any publication (including
but not limited to: papers, web pages, presentations, and papers published by
a third party), you must include the following reference: